Red Hat Enterprise Linux (RHEL)

Recent Red Hat Enterprise Linux (RHEL) Security Advisories

Advisory Title Published
RHSA-2025:19429 (RHSA-2025:19429) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025
RHSA-2025:19427 (RHSA-2025:19427) Red Hat Enterprise Linux AI 1.5 (AMD) November 3, 2025
RHSA-2025:19430 (RHSA-2025:19430) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025
RHSA-2025:19426 (RHSA-2025:19426) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025
RHSA-2025:19428 (RHSA-2025:19428) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025
RHSA-2025:19425 (RHSA-2025:19425) Red Hat Enterprise Linux AI 1.5 (AMD) November 3, 2025
RHSA-2025:19424 (RHSA-2025:19424) Red Hat Enterprise Linux AI 1.5 (AMD) November 3, 2025
RHSA-2025:19423 (RHSA-2025:19423) Red Hat Enterprise Linux AI 1.5 (NVIDIA) November 3, 2025
RHSA-2025:19422 (RHSA-2025:19422) Red Hat Enterprise Linux AI 1.5 (Intel Gaudi) November 3, 2025
RHSA-2021:3144 (RHSA-2021:3144) Low: .NET Core 2.1 on Red Hat Enterprise Linux security and bugfix update August 11, 2021

By the Year

In 2026 there have been 37 vulnerabilities in Red Hat Enterprise Linux (RHEL), with an average score of 5.8 out of ten. Last year, in 2025, Enterprise Linux (RHEL) had 204 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Enterprise Linux (RHEL) in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.66.

Year Vulnerabilities Average Score
2026 37 5.78
2025 204 6.44
2024 167 6.32
2023 210 6.37
2022 175 6.74
2021 148 6.51
2020 104 6.35
2019 293 6.24
2018 113 7.02

It may take a day or so for new Enterprise Linux (RHEL) vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Enterprise Linux (RHEL) Security Vulnerabilities

GVfs FTP Backend IP/Port Spoofing Allows Client Port Scanning
CVE-2026-28295 4.3 - Medium - February 26, 2026

A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode (PASV) response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the malicious server to probe for open ports accessible from the client's network.

SSRF

udisks Unprivileged LUKS Header Backup via D-Bus Policy Check Bypass
CVE-2026-26104 5.5 - Medium - February 25, 2026

A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.

AuthZ

udisks: Unprivileged D-Bus API allows LUKS header overwrite
CVE-2026-26103 7.1 - High - February 25, 2026

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.

AuthZ

389-ds-base Heap Buffer Overflow in schema_attr_enum_callback
CVE-2025-14905 7.2 - High - February 23, 2026

A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

Heap-based Buffer Overflow

QEMU VMDK OOB Read Leak or DoS
CVE-2026-2243 5.1 - Medium - February 19, 2026

A flaw was found in QEMU. A specially crafted VMDK image could trigger an out-of-bounds read vulnerability, potentially leading to a 12-byte leak of sensitive information or a denial of service condition (DoS).

Out-of-bounds Read

QEMU KVM Xen Guest Off-By-One heap OOB access in Xen physdev
CVE-2026-0665 6.5 - Medium - February 18, 2026

An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.

Memory Corruption

QEMU uefi-vars Buffer Size vs Transfer I/O Info Leak
CVE-2025-8860 3.3 - Low - February 18, 2026

A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. The function allocates a heap buffer without zeroing the memory, leaving the buffer filled with residual data from prior allocations. When the guest later reads from register UEFI_VARS_REG_PIO_BUFFER_TRANSFER, the .read callback `uefi_vars_read` returns leftover metadata or other sensitive process memory from the previously allocated buffer, leading to an information disclosure vulnerability.

Improper Removal of Sensitive Information Before Storage or Transfer

QEMU virtio-crypto AKCIPHER DoS via unchecked memory allocation
CVE-2025-14876 5.5 - Medium - February 18, 2026

A flaw was found in the virtio-crypto device of QEMU. A malicious guest operating system can exploit a missing length limit in the AKCIPHER path, leading to uncontrolled memory allocation. This can result in a denial of service (DoS) on the host system by causing the QEMU process to terminate unexpectedly.

Allocation of Resources Without Limits or Throttling

Fedora Linux: Kernel Lockdown Disabled, Unsigned Module Loading
CVE-2025-1272 7.7 - High - February 18, 2026

On Fedora Linux, kernel versions 6.12 and above have kernel lockdown mode disabled without any warning. This may allow an attacker to gain access to sensitive information such as kernel memory mappings, I/O ports, BPF and kprobes. Additionally, unsigned modules can be loaded, leading to execution of untrusted code and breaking any Secure Boot protection. This vulnerability affects only Fedora Linux.

glibc Insufficient Entropy via getrandom/arc4random After Fork
CVE-2025-0577 4.8 - Medium - February 18, 2026

An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.

Insufficient Entropy

libsoup HTTP Range Header flaw may read arbitrary memory
CVE-2026-2443 5.3 - Medium - February 13, 2026

A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.

Out-of-bounds Read

BusyBox Tar Extraction Hardlink/Symlink Escalation Vulnerability
CVE-2026-26158 7 - High - February 11, 2026

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

External Control of File Name or Path

BusyBox: Archive Utils Path Traversal Enables Arbitrary File Overwrite
CVE-2026-26157 7 - High - February 11, 2026

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that, when extracted under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

External Control of File Name or Path

GnuTLS DoS via oversized SANs in certificates
CVE-2025-14831 5.3 - Medium - February 09, 2026

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Inefficient Algorithmic Complexity

Keylime 7.12+ TLS Auth Bypass: Unauth Admin Ops
CVE-2026-1709 9.4 - Critical - February 06, 2026

A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.

Key Exchange without Entity Authentication

libsoup HTTP Request Smuggling via Malformed Chunk Headers
CVE-2026-1801 5.3 - Medium - February 03, 2026

A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure.

HTTP Request Smuggling

SoupServer HTTP Request Smuggling via Chunked TE + Keep-Alive
CVE-2026-1760 5.3 - Medium - February 02, 2026

A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions.

HTTP Request Smuggling

Libsoup Multipart HTTP Response Buffer Overflow CVE-2026-1761
CVE-2026-1761 8.6 - High - February 02, 2026

A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction.

Stack Overflow

Memory Leak in libxml2 xmllint Shell Leads to Local DoS
CVE-2026-1757 6.2 - Medium - February 02, 2026

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Memory Leak

Proxy Auth Leakage in libSoup on Redirects
CVE-2026-1539 5.8 - Medium - January 28, 2026

A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data.

Insertion of Sensitive Information Into Sent Data

HTTP Header Injection in Libsoup via CRLF in Content-Disposition
CVE-2026-1536 5.8 - Medium - January 28, 2026

A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction.

CRLF Injection

GLib Unicode Case Conversion Integer Overflow Causes Out-of-Bounds Write
CVE-2026-1489 5.4 - Medium - January 27, 2026

A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.

Memory Corruption

Local DoS via GLib Content Type Parsing Buffer Underflow
CVE-2026-1485 2.8 - Low - January 27, 2026

A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.

buffer underrun

GLib Base64 Buffer Overflow via Integer Underflow
CVE-2026-1484 4.2 - Medium - January 27, 2026

A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.

Memory Corruption

CRLF Injection in libsoup Host Header via HTTP Proxy
CVE-2026-1467 5.8 - Medium - January 27, 2026

A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services.

CRLF Injection

GnuTLS Stack Buffer Overflow in PKCS#11 Init Allows DoS/Code Exec
CVE-2025-9820 4 - Medium - January 26, 2026

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Stack Overflow

Privilege Escalation Vulnerability in NetworkManager (CVE-2025-9615)
CVE-2025-9615 - January 26, 2026

A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.

Improper Preservation of Permissions

RedHat CVE-2026-0810 gix-date::TimeBuf::as_str non-UTF8 UB
CVE-2026-0810 6.8 - Medium - January 26, 2026

A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.

Incorrect Calculation of Multi-Byte String Length

Information Disclosure in Go Viper Mapstructure WeakDecode via Error Messages
CVE-2025-11065 5.3 - Medium - January 26, 2026

A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.

Generation of Error Message Containing Sensitive Information

CVE-2026-0988: Glib g_buffered_input_stream_peek Integer Overflow
CVE-2026-0988 3.7 - Low - January 21, 2026

A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).

Integer Overflow or Wraparound

libxml2 XML Catalog DoS via Repeated <nextCatalog> Recursion
CVE-2026-0992 2.9 - Low - January 15, 2026

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Resource Exhaustion

Denial-of-Service via Unbounded <include> Recursion in libxml2 RelaxNG Parser
CVE-2026-0989 3.7 - Low - January 15, 2026

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Stack Exhaustion

libxml2 Uncontrolled Recursion in xmlCatalogXMLResolveURI Causing DoS
CVE-2026-0990 5.9 - Medium - January 15, 2026

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Stack Exhaustion

vsftpd ls Cmd Integer Overflow Causing DoS
CVE-2025-14242 6.5 - Medium - January 14, 2026

A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence.

Integer Overflow or Wraparound

libsoup's WebSocket Frame OOB Read (CVE-2026-0716)
CVE-2026-0716 4.8 - Medium - January 13, 2026

A flaw was found in libsoup's WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup's WebSocket support with this configuration may be impacted.

Buffer Access with Incorrect Length Value

libsoup NTLM auth signed int overflow causes stack corruption
CVE-2026-0719 8.6 - High - January 08, 2026

A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This results in incorrect memory allocation on the stack, followed by unsafe memory copying. As a result, applications using libsoup may crash unexpectedly, creating a denial-of-service risk.

Stack Overflow

Undertow Host Header Validation Flaw Enables Cache Poisoning
CVE-2025-12543 9.6 - Critical - January 07, 2026

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Improper Input Validation

libnbd URI Injection Enables Code Execution via Malicious SSH Args
CVE-2025-14946 4.8 - Medium - December 19, 2025

A flaw was found in libnbd. A malicious actor could exploit this by convincing libnbd to open a specially crafted Uniform Resource Identifier (URI). This vulnerability arises because non-standard hostnames starting with '-o' are incorrectly interpreted as arguments to the Secure Shell (SSH) process, rather than as hostnames. This could lead to arbitrary code execution with the privileges of the user running libnbd.

Argument Injection

HTTP Host Header Smuggling via libsoup's Duplicate Host Handling
CVE-2025-14523 8.2 - High - December 11, 2025

A flaw in libsoup's HTTP header handling allows multiple Host: headers in a request and returns the last occurrence for server-side processing. Common front proxies often honor the first Host: header, so this mismatch can cause vhost confusion where a proxy routes a request to one backend but the backend interprets it as destined for another host. This discrepancy enables request-smuggling style attacks, cache poisoning, or bypassing host-based access controls when an attacker supplies duplicate Host headers.

HTTP Request Smuggling

glib GIO escape_byte_string overflow causes heap buffer DoS
CVE-2025-14512 6.5 - Medium - December 11, 2025

A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Integer Overflow or Wraparound

GLib GVariant Buffer Underflow Heap Corruption (CVE-2025-14087)
CVE-2025-14087 5.6 - Medium - December 10, 2025

A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.

Integer Overflow or Wraparound

Heap Buffer Overread in util-linux setpwnam() (256-byte usernames)
CVE-2025-14104 6.1 - Medium - December 05, 2025

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Out-of-bounds Read

WebKitGTK Unexpected Crash from Malicious Web Content (CVE-2025-66287)
CVE-2025-66287 8.8 - High - December 04, 2025

A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling.

Classic Buffer Overflow

WebKitGTK File DragDrop Info Disclosure (CVE-2025-13947)
CVE-2025-13947 7.4 - High - December 03, 2025

A flaw was found in WebKitGTK. This vulnerability allows remote, user-assisted information disclosure that can reveal any file the user is permitted to read via abusing the file drag-and-drop mechanism where WebKitGTK does not verify that drag operations originate from outside the browser.

Origin Validation Error

Local Priv Esc via ABRT Daemon Shell Injection
CVE-2025-12744 8.8 - High - December 03, 2025

A flaw was found in the ABRT daemon's handling of user-supplied mount information. ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (`docker inspect %s`) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.

Shell injection

Glib Heap Buffer Overflow in g_escape_uri_string()
CVE-2025-13601 7.7 - High - November 26, 2025

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Integer Overflow or Wraparound

Out-of-Bounds Read / Integer Underflow in WebKitGTK (UIProcess DoS)
CVE-2025-13502 7.5 - High - November 25, 2025

A flaw was found in WebKitGTK and WPE WebKit. This vulnerability allows an out-of-bounds read and integer underflow, leading to a UIProcess crash (DoS) via a crafted payload to the GLib remote inspector server.

Out-of-bounds Read

Keylime Agent: UUID Overwrite via TPM ID Spoof
CVE-2025-13609 8.2 - High - November 24, 2025

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.

Use of Multiple Resources with Duplicate Identifier

GRUB2 UAF in network module => DoS
CVE-2025-54770 4.9 - Medium - November 18, 2025

A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability.

Dangling pointer

GRUB2 Normal Module UAF Can Crash or Leak Data
CVE-2025-61664 4.9 - Medium - November 18, 2025

A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

Dangling pointer
